diff options
| author | Yuto Hamaguchi <Hamaguchi.Yuto@da.MitsubishiElectric.co.jp> | 2025-12-19 20:53:51 +0900 |
|---|---|---|
| committer | Sasha Levin <sashal@kernel.org> | 2026-03-04 07:20:18 -0500 |
| commit | 29f51913cb77c0ab779d85683d9c832685e630bf (patch) | |
| tree | 902235ee4395b79548a1a28f97f2349d2e856011 /net/netfilter | |
| parent | 74431472d16eb54e9451b2060f74a3d35e8bdc8b (diff) | |
| download | linux-29f51913cb77c0ab779d85683d9c832685e630bf.tar.gz linux-29f51913cb77c0ab779d85683d9c832685e630bf.tar.bz2 linux-29f51913cb77c0ab779d85683d9c832685e630bf.zip | |
netfilter: nf_conntrack: Add allow_clash to generic protocol handler
[ Upstream commit 8a49fc8d8a3e83dc51ec05bcd4007bdea3c56eec ]
The upstream commit, 71d8c47fc653711c41bc3282e5b0e605b3727956
("netfilter: conntrack: introduce clash resolution on insertion race"),
sets allow_clash=true in the UDP/UDPLITE protocol handler
but does not set it in the generic protocol handler.
As a result, packets composed of connectionless protocols at each layer,
such as UDP over IP-in-IP, still drop packets due to conflicts during conntrack insertion.
To resolve this, this patch sets allow_clash in the nf_conntrack_l4proto_generic.
Signed-off-by: Yuto Hamaguchi <Hamaguchi.Yuto@da.MitsubishiElectric.co.jp>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Diffstat (limited to 'net/netfilter')
| -rw-r--r-- | net/netfilter/nf_conntrack_proto_generic.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/net/netfilter/nf_conntrack_proto_generic.c b/net/netfilter/nf_conntrack_proto_generic.c index e831637bc8ca..cb260eb3d012 100644 --- a/net/netfilter/nf_conntrack_proto_generic.c +++ b/net/netfilter/nf_conntrack_proto_generic.c @@ -67,6 +67,7 @@ void nf_conntrack_generic_init_net(struct net *net) const struct nf_conntrack_l4proto nf_conntrack_l4proto_generic = { .l4proto = 255, + .allow_clash = true, #ifdef CONFIG_NF_CONNTRACK_TIMEOUT .ctnl_timeout = { .nlattr_to_obj = generic_timeout_nlattr_to_obj, |